Package umask issues

Mike A. Harris mharris at www.linux.org.uk
Tue Jul 12 09:48:45 UTC 2005


Warren Togami wrote:
> Hi Spot,
> 
> During FUDCON2 one of the TODO's I promised you was to send details 
> about package umask issues.  This is only an issue for sysadmins when 
> they insist on using a system umask of 077 supposedly for some hardening 
> reason.  Two kinds of packages then have problems:
> 
> 1) Packages with unowned files or directories.  This of course has an 
> obvious solution, simply own it.  This is already covered in our 
> packaging guidelines.  MUST right?
> 
> 2) Packages which create unpackaged files in scriptlets like %post
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136030
> This is one example where this caused a problem.  The quick and ugly 
> workaround is to explicitly set umask at the beginning of the scriptlet. 
>  But the correct fix would be to make it so the software does not create 
> files in %post.  The latter solution is not always trivial.
> 
> Should we make #2 a SHOULD or MUST in guidelines?

Fonts intended to be useable systemwide by all users, must get
installed on the system with read mode set for user, group, and
other, at a minimum.  In order for these fonts to then be useable
by the X11 core fonts subsystem (legacy font support, mostly
used by Xt/Xaw apps and other old stuff), the font metadata files
(fonts.dir, fonts.scale, fonts.alias) must also be world readable
(generally mode 0644 is preferred).

Any font package that installs fonts and prepares them for use
by the core fonts system, by calling chkfontpath,
ttmkfdir/mkfontscale, mkfontdir, must be invoked in an environment
which has umask set to 0133 to ensure the metadata files are
created with the proper permissions to be seen by all users.  Of
course this assumes that the intention of a given rpm is to make
the fonts useable systemwide, and not limited to a specific user
or group, etc.

Previously we used to patch mkfontdir to force fonts.dir and
encodings.dir metadata files to be mode 0644, however XFree86.org
rejected the patch, so I dropped it in the next OS release and
changed the initscript for xfs to force "umask 0133" instead,
however that only works if all font packages correctly set the
umask upon installation as well.

It's been ages since I've seen any bug reports of the nature
of fonts missing which could be traced to improper font installation
permissions however, so this may not be a huge problem nowadays
simply out of coincidence or luck.

Nonetheless, I thought I'd mention it in the thread upon request
of Warren.

TTYL
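
The following is an added example, not part of the original message or of any Fedora package: a shell sketch of how a scriptlet that creates font metadata inherits a hardened umask of 077, how the explicit `umask 0133` workaround changes the result, and how to audit a font directory for metadata files that are not world readable. The `gen_metadata` helper is a hypothetical stand-in for mkfontdir/mkfontscale and only creates empty files with the names mentioned above; the directory layout is constructed.

```shell
#!/bin/sh
# Added example (constructed): effect of the invoking umask on files
# that a package scriptlet creates at install time.

# Hypothetical stand-in for mkfontdir/mkfontscale: creates the metadata
# files with default open() mode 0666, filtered by the current umask.
gen_metadata() {                      # $1 = font directory
    for f in fonts.dir fonts.scale fonts.alias; do
        : > "$1/$f"
    done
}

# Scriptlet that trusts the environment: inherits the caller's umask.
scriptlet_inherit() {
    ( gen_metadata "$1" )
}

# Scriptlet with the workaround: set umask explicitly, inside a
# subshell so the change does not leak into the caller.
scriptlet_fixed() {
    ( umask 0133; gen_metadata "$1" )
}

# Audit: list font metadata files that "other" cannot read.
audit_fontdir() {                     # $1 = font directory
    find "$1" -type f \
        \( -name fonts.dir -o -name fonts.scale -o -name fonts.alias \) \
        ! -perm -004 | sort
}

count_unreadable() { audit_fontdir "$1" | wc -l | tr -d ' '; }

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/inherit" "$tmp/fixed"
    (
        umask 077                     # hardened system umask from the thread
        scriptlet_inherit "$tmp/inherit"
        scriptlet_fixed   "$tmp/fixed"
    )
    echo "inherited umask: $(count_unreadable "$tmp/inherit") unreadable metadata files"
    echo "explicit umask:  $(count_unreadable "$tmp/fixed") unreadable metadata files"
    rm -rf "$tmp"
}

demo
```

Pointing `audit_fontdir` at an installed font directory reports the files whose permissions would hide fonts from other users.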




More information about the Fedora-maintainers mailing list